The UK government released the Huawei Cyber Security Evaluation Centre oversight board’s 2018 annual report on 19 July. HCSEC is a Huawei-owned facility that was created seven years ago to deal with the perceived risks of Huawei’s involvement in UK critical infrastructure by evaluating the security of Huawei products used in the UK telecommunications market.
The oversight board was set up in 2014 to assess HCSEC’s performance relating to UK product deployments. It comprises senior representatives from government and the UK telecommunications sector and a senior executive from Huawei.
For those worried about Huawei’s involvement in Australia’s 5G network, the oversight board’s report does not make reassuring reading.
The central concern in the debate over Huawei’s participation in Australia’s 5G network is that Chinese intelligence services could compel or coerce Huawei to leverage its involvement in critical infrastructure to enable espionage.
China has certainly demonstrated an intent to conduct wide-ranging espionage in Australia. There’s now a large body of evidence that China has been behind an array of data breaches, including at the Bureau of Meteorology; the departments of Defence, Prime Minister and Cabinet, and Foreign Affairs and Trade; and the parliamentary email system. But beyond what could be described as ‘legitimate’ espionage targeting government agencies, there have also been thefts of intellectual property, commercial-in-confidence material and trade secrets for commercial advantage from companies such as BHP, Rio Tinto and Fortescue Metals.
China’s intelligence services also have the ability to compel Huawei to assist them with their intelligence work.
Article 7 of China’s National Intelligence Law says that ‘[a]ll organizations and citizens shall support, assist, and cooperate with state intelligence work according to law’ and Article 14 states that national intelligence agencies ‘may request that concerned organs, organizations, and citizens provide necessary support, assistance, and cooperation’. In addition, Article 10 says that ‘national intelligence work institutions are to use the necessary means, tactics, and channels to carry out intelligence efforts, domestically and abroad’.
I’ve previously written about how Huawei could be used to enable espionage, with or without Huawei corporate’s complicity. Espionage doesn’t necessarily require sophisticated ‘backdoors’—even compelling Chinese engineers to assist could enable Chinese intelligence services to get useful access to Australia’s 5G network.
This demonstrated intent combined with the power provided by legal obligations imposed by Beijing means that Chinese companies like Huawei carry additional supply-chain risk compared with companies from countries without a long history of cyberespionage and/or countries without laws that specifically compel cooperation with intelligence agencies.
On the face of it, the UK approach to mitigate this supply-chain risk with HCSEC—assessing products to reassure ourselves that they are operating as expected—seems entirely reasonable. Can’t we assess products to make sure they won’t be used to spy on us?
The four HCSEC oversight board annual reports (2015, 2016, 2017 and 2018) show that it is very difficult indeed.
On the bright side, the reports have consistently stated that ‘HCSEC continues to provide unique, world-class cyber security expertise and technical assurance of sufficient scope and quality as to be appropriate for the current stage in the assurance framework around Huawei in the UK’.
HCSEC is also developing new tools and techniques to better understand security assurance in telecommunications, has found vulnerabilities that Huawei has subsequently remediated, and is actually improving Huawei’s basic engineering and security processes and code quality. These efforts have resulted in a more secure Huawei product.
Despite all this, the three most recent board reports have noted that HCSEC cannot confirm that what it has been testing matches what Huawei is using in the UK: the source code HCSEC has been given (that is, the computer instructions for Huawei’s equipment) doesn’t correspond with what has been deployed in the UK. So, much of the security testing that HCSEC has been doing may be irrelevant to the security of products used in the UK. At this point, the oversight board ‘can offer only limited assurance’.
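The gap the board describes is a build-provenance problem: an evaluation of source code only says something about deployed equipment if the deployed binary can be shown to have been built from that exact source. The example below is added here and is not from the oversight board report, HCSEC or Huawei; the source tree, the release label, the site names and the `deterministic_build` function are all constructed stand-ins for a real reproducible build pipeline. It hashes the artifact produced from the evaluated source, compares deployed images against that hash, and also shows the caveat a practitioner needs: a build that embeds a timestamp cannot be matched even when its source is identical, so the evaluator is left with no assurance about it.

```python
import hashlib
from typing import Dict

# Constructed sample source tree (file path -> contents). Hypothetical, not vendor code.
EVALUATED_SOURCE: Dict[str, bytes] = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/net.c": b"int open_port(int p) { return p > 1024; }\n",
}


def deterministic_build(source: Dict[str, bytes]) -> bytes:
    """Toy stand-in for a reproducible build: the output depends only on the
    source files, visited in sorted order, so two builds of the same tree are
    byte-identical regardless of the order the files were supplied in."""
    image = bytearray()
    for name in sorted(source):
        image += name.encode() + b"\0" + source[name] + b"\0"
    return bytes(image)


def nondeterministic_build(source: Dict[str, bytes], build_time: str) -> bytes:
    """The same build with a build timestamp embedded. This is the common
    mistake that breaks source-to-binary matching: identical source, different
    bytes on every build."""
    return deterministic_build(source) + b"built=" + build_time.encode() + b"\0"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_deployed(evaluated_images: Dict[str, str],
                   deployed: Dict[str, bytes]) -> Dict[str, str]:
    """Map each deployed image to the evaluated release whose hash it matches,
    or to 'UNEVALUATED' when no evaluated artifact has that hash. Only images
    in the first group inherit any assurance from the source review."""
    by_hash = {digest: label for label, digest in evaluated_images.items()}
    return {site: by_hash.get(sha256(img), "UNEVALUATED")
            for site, img in deployed.items()}


def run_scenario() -> Dict[str, str]:
    """Constructed scenario: one faithful deployment, one deployment built from
    modified source, and one built from the evaluated source but with a
    timestamp embedded."""
    evaluated = {"release-1.0": sha256(deterministic_build(EVALUATED_SOURCE))}

    modified = dict(EVALUATED_SOURCE)
    modified["src/net.c"] = b"int open_port(int p) { return 1; }\n"

    deployed = {
        "site-A": deterministic_build(EVALUATED_SOURCE),
        "site-B": deterministic_build(modified),
        "site-C": nondeterministic_build(EVALUATED_SOURCE, "2018-07-19T10:00:00Z"),
    }
    return check_deployed(evaluated, deployed)


if __name__ == "__main__":
    for site, verdict in run_scenario().items():
        print(f"{site}: {verdict}")
```

Site A is the only deployment the evaluation actually covers. Site B is the case an evaluator fears (different code in the field), but site C is the case the report is really about: the source may well be the same, yet without a reproducible build there is no way to demonstrate it, so the evaluation cannot be credited to that deployment. Matching requires the vendor to supply a build that is bit-for-bit reproducible from the reviewed source, and the evaluator to rebuild it independently rather than trust a vendor-supplied hash.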
This year’s report also indicates that some security-critical third-party software used in Huawei equipment is ‘not subject to sufficient control’. This is viewed as possibly a significant risk to UK telecommunications infrastructure mostly because of inconsistent product support lifetimes.
Overall, the report describes HCSEC as a high-functioning, world-class security evaluation centre. However, the board cautions that confidence in HCSEC’s ability to provide ‘long term technical assurance of sufficient scope and quality around Huawei in the UK’ is declining due to the ‘repeated discovery of critical shortfalls’ in ‘Huawei engineering practices and processes that will cause long term increased risk in the UK’.
Worse yet, the trend across the four oversight board reports suggests that as HCSEC has improved in capability, confidence that the security evaluation process will sufficiently mitigate risks has declined—the more HCSEC learned, the less confident they were.
There is a simple lesson for Australia from the HCSEC oversight board reports: using Huawei in our 5G network will introduce risks that we will find very difficult to mitigate.